07-23-2010 10:19 AM - edited 03-11-2019 11:15 AM
Is it possible to allow hosts behind the inside interface to make (web) requests to IPs that are bound to the outside *without* using DNS to point to the inside IP for the web server?
Example:
Public FQDN www.domain.com --> 5.5.5.5
This site is hosted/bound on 10.10.10.10 behind the PIX eth-inside interface
Current Static rule to allow internet users to access the web server that is behind eth-inside. This works fine for internet users obviously:
static (eth-inside,eth-outside) 5.5.5.5 10.10.10.10 netmask 255.255.255.255
...but I need to allow *inside* hosts to make HTTP requests to "www.domain.com" (aka 5.5.5.5 publicly) and pull up the web site that is really bound to 10.10.10.10.
Note: Unfortunately with our situation it isn't feasible to simply use internal DNS or something like a hosts file to point to the local IP for requests made to that hostname. There are thousands of FQDNs using many different domains and management wouldn't be possible.
I was hoping I could tell the PIX if a packet arrives on eth-inside and is bound for an IP bound to eth-outside then send it right back in to the local IP (in this case 10.10.10.10).
Is this possible?
07-23-2010 10:29 AM
Hello,
You have a couple of solutions based on your setup. From your description, it
seems like you are using an internal DNS server. So, you can do the following:
static (eth-inside,eth-inside) 5.5.5.5 10.10.10.10 netmask 255.255.255.255
global (eth-inside) 1 interface
nat (eth-inside) 1 0.0.0.0 0.0.0.0
same-security-traffic permit intra-interface
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml#solution2
This will U-Turn the traffic and make sure that all your internal hosts can
access the web-server using its public IP address.
Hope this helps.
Regards,
NT
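The following is an added illustration, not part of the original thread or any Cisco code: a small Python model of what the four lines above do to a packet. It assumes a hypothetical eth-inside interface address of 10.10.10.1 and a client at 10.10.10.50 (both constructed values). The point it makes is why the nat/global pair on eth-inside is required in addition to the intra-interface static: without source PAT the server answers the client directly across the LAN, the client sees the reply coming from 10.10.10.10 instead of 5.5.5.5, and its TCP stack rejects it because the 4-tuple does not match the connection it opened.

```python
"""Model of PIX 'U-turn' (hairpin) NAT for an inside host reaching an inside
server by its public address. Constructed example, not Cisco code.

Modelled statements:
    static (eth-inside,eth-inside) 5.5.5.5 10.10.10.10 netmask 255.255.255.255
    global (eth-inside) 1 interface
    nat (eth-inside) 1 0.0.0.0 0.0.0.0
    same-security-traffic permit intra-interface
"""
from dataclasses import dataclass

INSIDE_IF_IP = "10.10.10.1"   # assumed eth-inside interface address (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class HairpinPix:
    def __init__(self, static_map, inside_if_ip, intra_interface, pat_source):
        self.static_map = dict(static_map)   # public IP -> real inside IP
        self.inside_if_ip = inside_if_ip
        self.intra_interface = intra_interface   # same-security-traffic permit intra-interface
        self.pat_source = pat_source             # nat (eth-inside) 1 + global (eth-inside) 1 interface
        self.xlate = {}                          # (pat ip, pat port) -> (real src, real sport)
        self.next_port = 1024

    def inside_to_inside(self, pkt):
        """Forward path: packet enters eth-inside and must leave eth-inside again."""
        if not self.intra_interface:
            return None          # dropped: in and out on the same interface is not permitted
        if pkt.dst not in self.static_map:
            return None          # not a hairpin candidate (would be routed out eth-outside)
        real_dst = self.static_map[pkt.dst]          # static: 5.5.5.5 -> 10.10.10.10
        if not self.pat_source:
            return Packet(pkt.src, real_dst, pkt.sport, pkt.dport)
        pat_port = self.next_port                    # PAT source to the interface address
        self.next_port += 1
        self.xlate[(self.inside_if_ip, pat_port)] = (pkt.src, pkt.sport)
        return Packet(self.inside_if_ip, real_dst, pat_port, pkt.dport)

    def untranslate_reply(self, pkt):
        """Return path: server reply addressed to the PAT address is mapped back."""
        entry = self.xlate.get((pkt.dst, pkt.dport))
        if entry is None:
            return None
        orig_src, orig_sport = entry
        public = next(p for p, r in self.static_map.items() if r == pkt.src)
        return Packet(public, orig_src, pkt.sport, orig_sport)


def client_accepts(sent, received):
    """A TCP client only accepts segments that match the 4-tuple it opened."""
    return (received.src == sent.dst and received.sport == sent.dport
            and received.dst == sent.src and received.dport == sent.sport)


def run(pat_source, intra_interface=True):
    """Simulate one request/reply; returns (request, reply seen by client, accepted)."""
    pix = HairpinPix({"5.5.5.5": "10.10.10.10"}, INSIDE_IF_IP, intra_interface, pat_source)
    request = Packet("10.10.10.50", "5.5.5.5", 40000, 80)   # constructed client
    fwd = pix.inside_to_inside(request)
    if fwd is None:
        return request, None, False
    # The server replies to whatever source address it saw.
    server_reply = Packet("10.10.10.10", fwd.src, 80, fwd.sport)
    if fwd.src == pix.inside_if_ip:
        delivered = pix.untranslate_reply(server_reply)   # reply returns via the PIX
    else:
        delivered = server_reply      # same subnet: reply goes straight to the client
    return request, delivered, client_accepts(request, delivered)


if __name__ == "__main__":
    for pat in (True, False):
        req, rep, ok = run(pat)
        print(f"pat_source={pat}: client sees reply from {rep.src}:{rep.sport}, accepted={ok}")
```

Running it shows the full configuration delivering a reply from 5.5.5.5:80, and the variant without the nat/global pair delivering one from 10.10.10.10:80 that the client discards.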
07-23-2010 10:43 AM
I implemented your solution and it worked perfectly as far as I can tell with my initial tests.
Many thanks!